Modernizing Authentication — What It Takes to Transform Secure Access
Some businesses embrace it – and some recoil. But either way, Bring Your Own Device (BYOD) policies continue to grow increasingly widespread.
The common arguments in favor of BYOD focus on productivity and accounting. Employees, it is said, can be more productive using their own preferred devices and, in some cases, software. Further, businesses can arguably save money by leaving provisioning in the hands of employees – who tend to upgrade their own personal devices more quickly than businesses do throughout the organization.
But putting business data and intelligence in the hands of employee-owned (and often mobile) devices is not without risk. Some of these risks can be managed through the emerging adoption of mobile device management (MDM) – centralized software that extends a leash to devices, whether owned by the company or the employees.
When it comes to allowing personal devices into the business network, five common risk cases emerge – besides the possibility that employees will spend all day playing Angry Birds.
1. Users Installing Unvetted Apps
When your employee’s mobile device contains business data – or simply access credentials to it – the software applications they install could invite risk.
For Android devices especially, there is an increased risk of installing apps with malware. The risk is much higher when users install apps from unofficial sources, which is relatively easy to enable on most Android devices.
While iOS users are more constrained to Apple’s walled garden of the App Store, even legitimate apps could reveal information that some businesses might want to protect, such as location. Unvetted apps used to access business resources – such as an unapproved email app – could be even riskier, because the user will submit login credentials that may be stored on the app provider’s server, whose own security is unknown.
Most MDM platforms let you publish a list of approved apps to devices, restricting users from installing any app they like. The problem? Some employees may bristle that such a tight grip undermines the appeal of BYOD in the first place.
2. Users Who Click First, Worry Later
A simple Web browser alone can be all a user needs to inadvertently leak sensitive information. Phishing scams, for example, could tempt click-first-ask-questions-later users into plugging business credentials into a malicious website.
Again, many MDM platforms support whitelisting approved websites or implementing more advanced anti-phishing filters. In some cases you may not need a whole MDM suite, though. For instance, if mobile devices must connect to a corporate VPN, corporate network security solutions (such as a Web application firewall) can do the job.
3. Users Racking up Corporate Charges for Personal Purchases
Who pays for BYOD? If your users pay for their own mobile devices and contracts then they’ll be on the hook for any extra charges they rack up such as paid apps or in-app buys. If the company is footing the bill, though, user-triggered charges could become an accounting headache.
While MDM products can be used to disable in-app purchasing, employees paying their own way probably won’t want such a restriction. Even if you use MDM to restrict mobile purchasing, look out for loopholes. For instance, some products only restrict certain types of purchases (such as in-app) and not others (such as e-books or premium newsstand publications).
4. Users Losing Devices
OMG! Your first thought might not be suitable for print when a user realizes a smartphone or tablet is missing. Lost or stolen, a missing mobile device can present a serious security risk. One of the primary appeals of MDM solutions is a centralized way to remotely lock, or wipe the data from, missing phones.
But you don’t necessarily need MDM to defuse a missing device. Apple iOS supports both remote lock and remote wipe for iPhones and iPads registered with Apple’s iCloud. Android users don’t have a single unified solution, but there are free apps like Avast Mobile and Android Lost that do the same. In organizations without MDM, it makes good sense to require BYOD users to install a working remote wipe solution.
5. Users Sharing Devices
Then there are the folks who can be a little…promiscuous with their mobile devices. Tablets especially tend to find their way into the hands of family and sometimes friends. Until robust biometric security is built into mobile hardware, there is no perfect defense. But some intelligent network design can help mitigate the risks.
Systems that secure business resources should avoid making assumptions about who is connecting: expire credentials after a reasonable period of time and after a period of inactivity. Avoid automatically authorizing devices based on identifiers like MAC address alone, so that guest users of a device must still present credentials to access sensitive data.
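As an added illustration of the two design points above (not code from the article), the following Python sketch contrasts authorization by a recognised MAC address alone with a session store that issues sessions only after a credential check, binds them to the device, and expires them on both an idle and an absolute timeout. The timeout values, the known-device list and the `verify_credentials` callback are constructed assumptions.

```python
# Added example (not code from the article): session policy for a shared/BYOD device that
# expires credentials on idle and absolute timeouts and never authorizes on a device
# identifier alone. Timeouts and the known-device list are constructed assumptions.
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before re-authentication (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard session lifetime, even with constant activity (assumed)
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01"}   # constructed: MAC of an enrolled BYOD tablet


def weak_authorize(device_id):
    """The pattern the article warns against: a recognised MAC grants access by itself,
    so anyone holding the tablet (a family member, a friend) is treated as the owner."""
    return device_id in KNOWN_DEVICES


@dataclass
class Session:
    user: str
    device_id: str      # recorded for binding and audit, never taken as proof of identity
    issued_at: float
    last_seen: float


class SessionStore:
    def __init__(self, verify_credentials):
        self._verify = verify_credentials   # callable(user, secret) -> bool, supplied by caller
        self._sessions = {}

    def login(self, token, user, secret, device_id, now):
        """Issue a session only after a credential check succeeds."""
        if not self._verify(user, secret):
            return False
        self._sessions[token] = Session(user, device_id, now, now)
        return True

    def authorize(self, token, device_id, now):
        """Accept a request only on a live, unexpired session bound to this device.
        A known device with no session is refused, so a guest user must log in."""
        s = self._sessions.get(token)
        if s is None:
            return False
        expired = (now - s.issued_at > ABSOLUTE_TIMEOUT) or (now - s.last_seen > IDLE_TIMEOUT)
        if expired or device_id != s.device_id:
            del self._sessions[token]    # force fresh credentials on expiry or device mismatch
            return False
        s.last_seen = now
        return True
```

Note that the absolute timeout fires even when the user is continuously active, which is what closes the gap left by an idle-only policy on a tablet that is passed around all evening.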
The Promise of Multiple Personalities
Many or all of these BYOD risks may be eliminated within a couple of years thanks to the coming of mobile virtualization. With this technology baked into future mobile devices, users will easily be able to maintain multiple identities operating independently within one device. In this scenario, enterprises can use MDM to manage the corporate identity of a BYOD policy, while users can essentially do whatever they want under the personal identity. If only the same technology could be introduced to company cars.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.